The Inland Revenue Department is unsure how many Kiwis had been scammed off the back of a fake tax refund email requesting bank account details.
IRD client Xavier Wallach showed the Herald the "dodgy" email he had been sent in a bid to alert others not to "fall for the trap".
Wallach said luckily he had already received his tax refund this year so knew straight away it was a scam.
"I work in digital marketing and I've been briefed on security measures so I knew it was dodgy but other people might fall for the trap," he said.
IRD said they had received more than 1170 reports from the public about the email scam since the end of June.
A spokesperson said scams have become more sophisticated over time and people need to be "very careful" when they receive unexpected emails.
"The links in the emails change all the time and we are having them taken down as the reports come in," they said.
"Often the links come back up again and we get them taken down again."
The scam email sent to Wallach told him to view the "secured file" to complete a refund form and process payment.
"We tried to send it to you automatically but were unable to do so as we don't have your Credit/ Debit Card details on file," it said.
The IRD spokesperson said they had received reports of various different versions of the scam email since June.
However, in an attempt to alert the public, regular messages are posted to their social media channels about scams.
"There is also a 'latest scams' section of www.ird.govt.nz and information about this particular scam will be up there soon," the spokesperson said.
Inland Revenue's tell-tale signs of scams
• The scammer may pressure you to make a decision or do something quickly.
• The email, phone call or text may be threatening. The scammer might want to be paid in unusual ways such as gift cards, bitcoins or money transfer systems.
• A scammer may ask for your bank account details. IRD says: "We will never ask you to email or text us this information – we will always ask you to supply this through myIR."
• They might ask for passwords to your online accounts. Legitimate organisations will never ask for passwords.
• Scammers often give website or email addresses that are wrong but look almost right. For example, they might send you to ird.co.nz, ird.qovt.nz or ird.gov.nz, instead of the correct ird.govt.nz